Viacom exposes crown jewels to world+dog in AWS S3 bucket blunder

Passwords, server schematics and encryption keys up for grabs in open file store

Media monster Viacom has been caught with its security trousers down. Researchers found a wide-open, public-facing misconfigured AWS S3 bucket containing pretty much everything a hacker would need to take down the company's IT systems.

The data store, found by Chris Vickery, director of Cyber Risk Research at security shop UpGuard, contained 72 compressed .tgz files in a folder labelled mcs-puppet, an apparent reference to Viacom's Multiplatform Compute Services division, which handles IT systems for the firm.

"The contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom's IT infrastructure," the advisory states. "The presence of this data in an S3 bucket bearing MCS's name appears to further corroborate the Viacom group's mission of moving its infrastructure onto Amazon Web Services' cloud."

The Amazon-hosted bucket contained the passwords and manifests for Viacom's servers, as well as the access key and secret key for the corporation's AWS account. Some of the data was encrypted using GPG, but that wouldn't be an issue because the bucket also contained the GPG decryption keys.
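As an added illustration (not taken from UpGuard's advisory or from Viacom's tooling), a pre-upload check can scan each .tgz for the kinds of material described above and flag the case where encrypted data travels with a private key. The function names, file names and sample contents are constructed, and the key ID is the placeholder used in AWS documentation.

```python
import io
import re
import tarfile

# Byte patterns for the material the article says sat in the bucket.
# AWS secret keys have no fixed prefix, so only the access key ID is matched.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pgp_private_key": re.compile(rb"-----BEGIN PGP PRIVATE KEY BLOCK-----"),
    "pgp_encrypted_data": re.compile(rb"-----BEGIN PGP MESSAGE-----"),
}

def scan_tgz(fileobj, max_bytes=5_000_000):
    """Return {finding_name: [member paths]} for one .tgz archive."""
    findings = {name: [] for name in PATTERNS}
    with tarfile.open(fileobj=fileobj, mode="r:gz") as tar:
        for member in tar:
            if member.isfile():  # skip dirs and links; nothing is written to disk
                data = tar.extractfile(member).read(max_bytes)
                for name, pattern in PATTERNS.items():
                    if pattern.search(data):
                        findings[name].append(member.name)
    return findings

def verdict(findings):
    """List reasons to block the upload; an empty list means clean."""
    reasons = [f"{k} found in {v}" for k, v in findings.items() if v and k != "pgp_encrypted_data"]
    if findings["pgp_private_key"] and findings["pgp_encrypted_data"]:
        reasons.append("encrypted data stored beside a private key: encryption is moot")
    return reasons

def build_sample_tgz():
    """Constructed sample archive; every path and value here is made up."""
    files = {
        "manifests/site.pp": b"class web { $aws_key = 'AKIAIOSFODNN7EXAMPLE' }\n",
        "secrets/db.yaml.asc": b"-----BEGIN PGP MESSAGE-----\nconstructed-placeholder\n",
        "keys/private.asc": b"-----BEGIN PGP PRIVATE KEY BLOCK-----\nconstructed-placeholder\n",
        "README": b"nothing sensitive here\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(verdict(scan_tgz(build_sample_tgz())))
```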

Basically, had a hacker found this before Vickery, they would have had all the tools they needed to phish customers for their account details, spin up server instances that would accurately mimic Viacom's legitimate systems for use as a botnet or for other nefarious purposes, or take a trawl through Viacom's own networks armed with invaluable information.